Risks of Losing Portable Devices

The point is that it's now amazingly easy to lose an enormous amount of information. Twenty years ago, someone could break into my office and copy every customer file, every piece of correspondence, everything about my professional life. Today, all he has to do is steal my computer. Or my portable backup drive. Or my small stack of DVD backups. Furthermore, he could sneak into my office and copy all this data, and I'd never know it.

This problem isn't going away anytime soon.

There are two solutions that make sense. The first is to protect the data. Hard-disk encryption programs like PGP Disk allow you to encrypt individual files, folders or entire disk partitions. Several manufacturers market USB thumb drives with built-in encryption. Some PDA manufacturers are starting to add password protection -- not as good as encryption, since a password lock only stops the device's own software, not someone who reads the storage directly, but at least it's something -- to their devices, and there are some aftermarket PDA encryption programs.

The second solution is to remotely delete the data if the device is lost. This is still a new idea, but I believe it will gain traction in the corporate market. If you give an employee a BlackBerry for business use, you want to be able to wipe the device's memory if he loses it. And since the device is online all the time, it's a pretty easy feature to add. The obvious limitation is that the wipe command only arrives if the device can still reach the network; a thief who keeps it offline never receives it.

But until these two solutions become ubiquitous, the best option is to pay attention and erase data. Delete old e-mails from your BlackBerry, SMSs from your cell phone and old data from your address books -- regularly. Find that call log and purge it once in a while. Don't store everything on your laptop, only the files you might actually need.

EDITED TO ADD (2/2): A Dutch army officer lost a memory stick with details of an Afghan mission.

Comments

I don't buy the remote deleting option. It might work for loss but for intentional theft the thief will just ensure the device doesn't have access to the network, wireless or otherwise; not a difficult thing to do and the data is still accessible.

On the other hand, something I've considered for my encrypted laptop is to clear the encryption key from memory (or take other meaningful action) if the laptop comes out of hibernation and doesn't find a wireless access point from some preconfigured list. Same idea but default off (unaccessible) rather than default on (accessible).

Problem might be: if you can delete your hard drive remotely, in case someone else steals it, there is quite as well the possibility that *someone* else deletes *your* drive, while you have it.
Of course, you'll have that access point secured, but if there was absolute security, there'd be no need for this blog. I'd think twice about going on a business trip with all my data on a device which has a remote-delete function already built-in.

I don't need bulletproof security, so I may be whistling Dixie out my butt. Let me run this past everyone here. If I have to carry sensitive data with me, what if I carry the data encrypted, but split it in half onto two different thumbdrives? Sort of like a striped drive. If I forget one of the thumbdrives somewhere, then both thumbdrives are worthless. It's something like a safe deposit box that requires two keys.

Depending on what exactly you mean by "split it in half". To do it right, what you need to do is fill one thumbdrive with random data, and the other with the XOR of the secret data and the random data from the other drive. That way, either is useless without the other.

Filling a thumbdrive with cryptographically secure random data is left as a (non-trivial) exercise to the reader.

While this might work in some situations, the fact is that you're still carrying both drives with you and they both have to be present when you wish to access the data. If you're going to forget one drive, what's to stop you from forgetting two?

This also has convenience issues, because both drives must be present (demanding at least two free USB ports) and, somehow, their content must be combined in some way. Unless the encryption program natively supported splitting up the encrypted data across drives/locations, recombining the files from both drives every time you wish to access something might prove obnoxious. Ultimately, if this feature were not left up to the user to perform manually, it would stand a much greater chance of being successful.

"The second solution is to remotely delete the data if the device is lost."

Or delete the data after n failed attempts to access it. One of the cool things about remote devices is that they are regularly 'synced', so wiping the data after five or six failed login attempts is not as extreme as it might normally seem. Remote-control is weaker since it's subject to connectivity issues, as others have pointed out above.

Incidentally, one thing I continuously find with the isolated encryption solutions (converters, partitions, etc. as opposed to whole-disk) is that people often forget to secure-erase the original docs after they have moved them to the secure format. The non-secure/slack space used by the system doing the encryption is often a treasure-trove on its own, obviating any need to break the encryption itself to get what you need...

On the subject of disk encryption; maybe Bruce could qualify for some of that DHS open source review money and do an analysis of some open source disk encryption systems. FreeBSD's GBDE and GELI come to mind. I can hope, can't I :-)

On my GNU/Linux laptop I use encFS, a pseudo file system running under FUSE. It is convenient enough while giving me a lot of peace of mind: a directory tree is used to store the encrypted data as files (I don't have to set aside an entire partition) and by mounting this tree (with a password that's distinct from the login password) I get access to the plaintext files. I can backup the encrypted file tree with normal copy or backup tools without revealing the plaintext versions. And an inactivity timeout on encFS can unmount the plaintext filesystem to reduce the chance that an intruder gets to the plaintext data while I'm off to get more coffee.

Yes, number of files and directories, modification dates, file sizes, and approximate lengths of names can be gleaned from examining the encrypted file tree, but none of those things are of concern to me.

@jmc
it seems there's two issues- protecting the data and restoring it in the event of a loss. clearly HD encryption and remote wipe capability are not the entire solution, you need to have solid backup procedures in place as well. i'm not advocating having the data ONLY exist on your laptop- you should do incrementals as often as necessary dependent on the value of the data you're protecting. you should probably also do a periodic full backup in another location on another medium if you're really paranoid about losing stuff.

@another_bruce
i think he was speaking more for the scenario that he only ever uses his laptop online and therefore, the encryption process he ideally wants should have to retrieve a token from somewhere else to ensure that the laptop has a connection in order to be used. in this scenario, he has the ability to issue a remote wipe as soon as it's stolen and can rest assured that the contents cannot be accessed until it has a connection again (i.e. it must have the ability to check to ensure that a wipe directive has not been issued before it can ever be accessed).

I know the people at Absolute.com (with whom i have no connection other than I wrote the article above and their technology won) have been working with the OEMs to get their LoJack technology embedded in the BIOS. currently it resides on the HD and therefore can be subverted by swapping out the HD. When it's at the BIOS level, at that point you'd have to do some soldering on the motherboard to kill it.

It could still be subverted by swapping out the HD. Simply put the device's HD into a computer that doesn't have a self-destructing BIOS... and boot off a LiveCD, in case the self-destruct code is on the HD as well.

@jammit: if you use TrueCrypt, then you have a solid security program and your second drive could contain a key to decrypt the first drive

I am a big fan of TrueCrypt (mentioned by Sean above). The security seems very solid and it is a breeze to use. It allows you to create a virtual encrypted disk within a file, and then mount it as a real disk. TrueCrypt can also encrypt an entire partition or storage device/medium (e.g., USB thumb drive).

www.truecrypt.org

I wrote a SLAX module for TrueCrypt, which allows you to access your encrypted data with nearly zero risk of any sensitive data being cached/written to an unencrypted hard drive. Boot up in SLAX (Linux Live CD), then access any CDs, DVDs, or USB drives without touching the computer’s hard drive. (See http://tinyurl.com/8u2vk for the SLAX module)

I'll throw in another vote for TrueCrypt. Very nice program. Easy to set up a hidden partition on a removable drive. Lose the drive and no one can even see the hidden partition, so they can't even begin to decrypt it.

The one issue I have with remote delete is that it is easily circumvented. Had I stolen a cell phone specifically to get at the information, the first thing would be to bring it to my basement, where no cell phones have reception, and where I could copy and analyse the data as long as I wanted to. Similarly, snapping off the antenna of a remote-killable laptop would work, I assume.

There is something I don't understand about TrueCrypt's steganographic feature. This feature ostensibly allows you to plausibly deny the existence of a hidden TrueCrypt drive inside another TrueCrypt drive because the encrypted data are completely random. Isn't this proof that the TrueCrypt drive exists? My unencrypted drive is not full of completely random data; even after the OS writes and rewrites the disk, remnants of the original (non-random) data should still be there. What am I missing?

The problem with adding any sort of remote delete or any sort of delete-on-fail scheme to a device with persistent storage would be power. If I want to get the secret data off of someone's laptop I just stole, the first thing I do is separate the battery from the hard drive. Unless you get a hard drive with a hidden backup battery built in, how can it wipe itself, via remote control or otherwise?

You're missing the fact that the hidden drive is occupying the free space inside an already encrypted drive, which is usually filled with random data anyway (see http://www.truecrypt.org/hiddenvolume.php). If the encrypted data is truly indistinguishable from random data, then you can't find it (or at least you can't prove you found it) unless you know the key.

Cheburashka: I used PGP Disk to create an encrypted segment on a Lexar drive. It uses most of the space on the Lexar, leaving only a small percentage for non-critical files I want to more easily move around. Works great.

As far as securing PDAs goes, I have been using TealLock, which allows me to use Blowfish on my Palm. As usual, the security is only as good as the passphrase. But it's a whole lot better than the built-in system, which does not encrypt at all but only locks the Palm at start-up.

Cheburashka: The SanDisk Cruzer Profile is a good fingerprint-secured USB device. It has a partition that is keyed on your fingerprint and is always encrypted. Perfect for Joe User, just don't lose your fingers.

In terms of protecting hard disks of Windows computers, I recommend SecureDoc by WinMagic. I bought the "Personal" edition from TigerDirect for only $68CDN ($50US). A great deal considering it is just a mildly limited version of the Professional edition extensively used by US gov't agencies.

There was mention of the Lexar USB memory stick with fingerprint "protection". I have one and it's rubbish, don't waste your money. The problem is you have to save the file unencrypted on the USB stick then encrypt it. The original file is "deleted" but can be recovered. Making the encryption useless.

I use Truecrypt to encrypt the entire USB memory stick, there's no chance of leaving a file unencrypted on the USB stick as the whole device is encrypted at all times - a much more secure solution.

I am looking for a program that is a security vault "folder" with a password protection... in order for anyone to access the information or folder... they must enter the password... and it must also be encrypted for security purposes...

Here's one from an old sci-fi story I never got beyond outlining. A computer operator is asked to produce 50 questions with one-word answers. What was the name of the girl that... or what color was your bedroom wall when you were 10 years old? The kind of unrecorded trivia we all have in our heads. The master program in the computer has the questions and answers and selects a question based on time of day, date, air temperature etc. The operator has ten seconds to answer the question. If the person accessing the computer misses two questions in a row the computer erases itself. No password to remember or write down (or steal) because the "password" is something the owner already knows, yet it is never the same twice because once used a password-question set is locked out for a preset time. The bad guys studied the victim intensively, but missed the only thing his pet dog refused to eat (onions) and then missed the first kid he ever won a fight with (first name).
So can this be done with modern storage media-sure. Can it be made practical? probably. Can it be made MARKETABLE? Good luck. If you get it working can I have one?

Hello,
Can anyone tell me the answer to the following question? I have this on my test and I can't seem to find any info.
Question:
Which of the following would erase the files saved on a thumb drive?
A. Magnetic Field
B. Cold
C. Heat
D. High Voltage